Outmoded concerns about security are holding many companies back from using third-party cloud services, and allowing competitors that embrace the benefits of those services to gain an advantage. If companies are to enjoy the transformative potential of cloud computing, they need to think differently about data security, custody, and ownership.
Enterprises should view cloud service providers not as outside third parties, but as trusted service providers with custody of the data. The roles are very clear. You are the owner of your data; the CSP is the custodian. It is the digital equivalent of leaving your valuables in a safety deposit box. People understand that a bank has resources that can better protect their valuables than they can themselves: a secured building, a vault, electronic surveillance, trained security personnel. Even though the valuables are not in their personal possession, people feel that they are more secure. That type of relationship is what a cloud engagement is, with the CSP acting as the bank.
CSPs are keenly aware that their role as custodian of your data is of critical importance not only to each individual customer but to their own survival. They understand that intellectual capital, financial information, personal information, healthcare information and other critical data are at stake, and they are willing and able to invest more than most other types of businesses to protect it. They have the economies of scale on their side. Like a bank, they have spent what it takes for the secured facilities, advanced systems, and highly trained personnel to provide a level of protection that a client could not achieve on their own.
Putting data first
Information security is not about protecting physical assets but about protecting data, and a well-run CSP is usually better placed to do that than an individual company. On top of the provider's own controls, encryption adds a layer of confidentiality and integrity that does not depend on trusting the provider's staff or facilities. Properly implemented, it keeps your data protected in transit and wherever it resides. If your organization generates and holds the keys and encrypts the data before it leaves your systems, the CSP never sees the plaintext, even though it is hosted on the provider's servers. The caveat is that this only covers data the provider merely stores or forwards; any processing the provider does on your behalf requires plaintext at that point, so the key question is who holds the keys and where decryption happens.
Thinking about security as a logical rather than a physical property presents a stimulating opportunity: working with a CSP could make corporate data more secure than it would be if an enterprise maintained it in-house, under lock and key.
There are two reasons this makes sense. First, CSPs have a far broader view of vulnerabilities and new exploits, given the size and scope of their operations. Seeing attacks across many customers gives them early visibility that allows them to protect data in ways an individual company cannot.
Second, process controls among reputable CSPs are often much stronger than those adopted by client companies. Mature IT service management, from patch and configuration management through to access control, is complex and difficult to do well. A company in which IT is the core competency is at a great advantage in this regard.
Choosing a cloud service provider
None of this means companies should completely relinquish responsibility for their data to a third-party CSP. The legal responsibility to protect their own data and their customers' sensitive information remains with them, even when they choose to store it with a third party. Cloud security therefore relies on making a judicious choice of cloud service partner.
At this point in the evolution of cloud computing, such due diligence is a well-researched process, although it is still not fully understood in some organizations. Companies must check the security controls of a prospective CSP: they must ask the right questions and ensure the provider can apply appropriate security policy, and a site visit can sometimes help build peace of mind.
Look for several things when talking to a prospective provider. What kind of contract and Service Level Agreement (SLA) is the CSP willing to give you? Can it adhere to your company's existing security policies, and does it meet recognized industry security standards?
Your cloud service provider should also be able to answer questions about its encryption practices, including which algorithms it uses and how it handles encryption keys. Key management can be separated from the storage service itself, so you can use a CSP and still generate, store, and rotate keys internally; the provider then holds only ciphertext. If you choose not to keep key management in-house, your provider should be able to tell you how and where keys are generated and stored, who can access them, and how they are rotated and revoked.
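The two points above (encryption that prevents the provider from ever seeing your data, and key management that stays in-house) come together in client-side envelope encryption. The following is an added example, not code from the original article or from any provider: the data owner keeps a key-encryption key (KEK), encrypts each object with its own data-encryption key (DEK), wraps the DEK with the KEK, and sends the provider only ciphertext and the wrapped DEK. The `CloudStore` and `Client` classes are hypothetical stand-ins for an object store and the customer's application. Because the example uses only the Python standard library, the symmetric primitive is an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag; in production you would use AES-GCM from a vetted library, and the envelope structure, the authenticated object name, and the key rotation are the parts to take away.

```python
import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separated subkeys: one drives the keystream, one the MAC.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; safe only because every call uses a fresh nonce.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag.
    `aad` (here the object name) is authenticated but not encrypted."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before releasing any plaintext
        raise ValueError("authentication failed: object or its name was altered")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


class CloudStore:
    """Hypothetical stand-in for the provider's object store.
    It only ever holds ciphertext and wrapped DEKs, never a plaintext key."""
    def __init__(self):
        self.objects = {}

    def put(self, name, wrapped_dek, blob):
        self.objects[name] = (wrapped_dek, blob)

    def get(self, name):
        return self.objects[name]


class Client:
    """The data owner. The KEK lives here (in practice in an HSM or an
    in-house key service) and is never sent to the provider."""
    def __init__(self, kek: bytes, store: CloudStore):
        self.kek, self.store = kek, store

    def upload(self, name: str, data: bytes) -> None:
        dek = secrets.token_bytes(32)  # one DEK per object
        blob = aead_encrypt(dek, data, name.encode())
        wrapped = aead_encrypt(self.kek, dek, b"dek:" + name.encode())
        self.store.put(name, wrapped, blob)

    def download(self, name: str) -> bytes:
        wrapped, blob = self.store.get(name)
        dek = aead_decrypt(self.kek, wrapped, b"dek:" + name.encode())
        return aead_decrypt(dek, blob, name.encode())

    def rotate_kek(self, new_kek: bytes) -> None:
        # Rotation re-wraps the small DEKs only; bulk ciphertext is untouched.
        for name, (wrapped, blob) in list(self.store.objects.items()):
            dek = aead_decrypt(self.kek, wrapped, b"dek:" + name.encode())
            self.store.put(name, aead_encrypt(new_kek, dek, b"dek:" + name.encode()), blob)
        self.kek = new_kek


def _download_fails(client: Client, name: str) -> bool:
    try:
        client.download(name)
        return False
    except ValueError:
        return True


def demo() -> dict:
    store = CloudStore()
    client = Client(secrets.token_bytes(32), store)
    record = b"alice,100000\nbob,95000\n"  # constructed sample data
    client.upload("payroll.csv", record)
    wrapped, blob = store.get("payroll.csv")
    results = {
        "provider_sees_plaintext": b"alice" in blob or b"alice" in wrapped,
        "roundtrip_ok": client.download("payroll.csv") == record,
    }
    client.rotate_kek(secrets.token_bytes(32))
    results["readable_after_rotation"] = client.download("payroll.csv") == record
    wrapped, blob = store.get("payroll.csv")
    # Copying the object under another name fails: the name is authenticated.
    store.put("bonus.csv", wrapped, blob)
    results["rename_detected"] = _download_fails(client, "bonus.csv")
    # Flipping one ciphertext byte fails the tag check before any plaintext is released.
    store.put("payroll.csv", wrapped, blob[:20] + bytes([blob[20] ^ 0x01]) + blob[21:])
    results["tamper_detected"] = _download_fails(client, "payroll.csv")
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. The object name is bound into the authentication tag, so a provider (or an attacker with access to the bucket) cannot silently swap objects between names; and rotating the in-house KEK re-wraps only the per-object DEKs, so you can rotate keys without re-uploading the data and without the provider ever handling a plaintext key.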
Data jurisdiction is also a significant issue. While the traditional preoccupation with physical ownership may be a red herring when it comes to data protection, understanding where your data is stored is not. Regulatory and privacy laws vary greatly from country to country, so you may need your CSP to guarantee that data, including backups and replicas, resides within certain boundaries. Disaster recovery and business continuity are also crucial requirements for most companies, so ask where backups are kept and how restoration is tested.
The Cloud Security Alliance’s Cloud Controls Matrix sets out key requirements for cloud deployments, ranging from encryption and key management through to governance, risk management, and identity and access management. Search the Internet for cloud security controls and you’ll find similar guidance from other reputable organizations.
Ultimately, then, the security of your data is defined not so much by where it is stored as by the logical and physical controls that are applied to it. In a highly mobile world in which data moves fluidly across networks and the notion of a physical perimeter for IT is no longer relevant, we must reassess what it means for our information to be safe and secure. The cloud is your new safety deposit box, and it may be safer and more secure than anything you had before.
Eliot is an experienced information security expert with over thirty years of experience in the design and implementation of information security systems. He has gained knowledge and experience in a wide range of technologies, which has enabled him to provide true end-to-end data communications consultancy. Eliot has had extensive exposure to global internetworking environments, including Fortune 500 companies in the financial, pharmaceutical, air transport, hotel, chemical, food processing, manufacturing, and consulting services industries. He has been involved in many aspects of global projects, ranging from training end users to designing and implementing portions of organizations' global internetwork infrastructure.